CVE-2026-42282: n8n-MCP: credential logging exposes OAuth tokens in HTTP mode

MEDIUM
Published May 8, 2026
CISO Take

n8n-MCP's HTTP transport mode wrote raw MCP tool arguments, including bearer tokens, OAuth credentials, and API keys passed to n8n_manage_credentials, to server logs before any redaction occurred. For organizations running AI assistants that manage n8n workflow integrations, every credential-bearing tool call may have been silently persisted in log aggregators, SIEM pipelines, or shared log storage accessible to ops and support staff. The EPSS score is low (about 0.3%) and no public exploits exist, but the passive exposure is the core threat: credentials may already be sitting in your log infrastructure from prior tool calls. Upgrade to v2.47.13 immediately and rotate any n8n credentials that were handled via MCP tool calls in HTTP mode.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

The CVSS 3.1 score of 4.3 (Medium) understates the operational risk for AI-heavy deployments. A valid AUTH_TOKEN is required to trigger the logging, but in practice the trigger is the legitimate AI assistant doing its normal work, so credential material accumulates passively with every credential-bearing tool call; the longer a deployment runs unpatched, the larger the exposed set. The advisory notes that an existing console-silencing layer in HTTP mode reduces runtime exposure but describes it as fragile: the raw values are still constructed and passed into the logger, so any sink that bypasses that layer captures them. In agentic pipelines where n8n manages OAuth integrations with Slack, GitHub, CRMs, and cloud platforms, harvested credentials enable lateral movement well beyond the n8n perimeter. No KEV listing, no public exploit code, and a low EPSS score (about 0.3%) reduce immediate urgency, but exploitation is trivial once log access is obtained, which warrants prompt patching and credential rotation.

How does the attack unfold?

Authenticated Access
Any caller holding a valid AUTH_TOKEN for the n8n-MCP HTTP server triggers the logging. In normal operation that caller is the legitimate AI assistant; an attacker needs the token only to force additional credential-bearing calls into the logs (through credential theft, reuse, or insider privilege), not to benefit from entries already written.
AML.T0012
Tool Call Trigger
Authenticated MCP tool calls (n8n_manage_credentials and others) are issued to the HTTP server, causing the request dispatcher to log full JSON-RPC arguments including raw credential values before any redaction.
AML.T0053
Credential Harvesting
Attacker with access to log storage, SIEM, or log aggregation systems searches for and extracts plaintext OAuth tokens, API keys, and bearer tokens written to n8n-MCP server logs.
AML.T0055
Lateral Movement
Harvested credentials are used to authenticate directly to n8n-integrated third-party services (Slack, GitHub, cloud platforms, CRMs), bypassing the n8n perimeter entirely.
AML.T0091.000

How severe is it?

CVSS 3.1
4.3 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 16% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

What should I do?

6 steps
  1. Upgrade n8n-mcp to v2.47.13 immediately — the patch introduces argument redaction before the logging layer.

  2. Audit application logs from all n8n-MCP HTTP mode instances for raw credential values. Search for tools/call entries naming n8n_manage_credentials, but also for bearer token patterns, OAuth token formats, and API key prefixes anywhere in tool arguments, since the advisory states that secret-bearing payloads passed to any MCP tool (for example webhook auth headers) were logged the same way. Run the search on every sink the logs reached: local files, captured container stdout, log shippers, and SIEM indexes.

  3. Rotate all n8n credentials that may have been passed as MCP tool arguments (OAuth tokens, API keys, webhook secrets). Patching stops new entries but does not scrub existing logs, so treat anything handled before the upgrade as exposed unless the audit in step 2 shows otherwise.

  4. If immediate patching is not possible, switch to stdio transport as a temporary workaround; the advisory scopes the issue to HTTP transport mode. Changing transports does not remove entries already written, so steps 2 and 3 still apply.

  5. Review log access controls and restrict who can read application logs containing MCP request data.

  6. Check SIEM forwarding rules and retention policies to identify whether credential-bearing log entries were shipped to external systems and for how long.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 12 - Record-keeping and logging requirements
ISO 42001
A.8.3 - Data for AI systems — data management
NIST AI RMF
MANAGE 2.4 - Risks and benefits of AI are monitored and managed
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-42282?

n8n-MCP's HTTP transport mode wrote raw MCP tool arguments, including bearer tokens, OAuth credentials, and API keys passed to n8n_manage_credentials, to server logs before any redaction occurred. For organizations running AI assistants that manage n8n workflow integrations, every credential-bearing tool call may have been silently persisted in log aggregators, SIEM pipelines, or shared log storage accessible to ops and support staff. The EPSS score is low (about 0.3%) and no public exploits exist, but the passive exposure is the core threat: credentials may already be sitting in your log infrastructure from prior tool calls. Upgrade to v2.47.13 immediately and rotate any n8n credentials that were handled via MCP tool calls in HTTP mode.

Is CVE-2026-42282 actively exploited?

No confirmed active exploitation of CVE-2026-42282 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42282?

1. Upgrade n8n-mcp to v2.47.13 immediately; the patch introduces argument redaction before the logging layer.
2. Audit application logs from all n8n-MCP HTTP mode instances for raw credential values (search for 'n8n_manage_credentials', bearer token patterns, OAuth token formats, API key prefixes), on every sink the logs reached.
3. Rotate all n8n credentials that may have been passed as MCP tool arguments (OAuth tokens, API keys, webhook secrets); patching does not scrub existing logs.
4. If immediate patching is not possible, switch to stdio transport mode as a temporary workaround; the advisory scopes the issue to HTTP transport mode, and changing transports does not remove entries already written.
5. Review log access controls and restrict who can read application logs containing MCP request data.
6. Check SIEM forwarding rules and retention policies to identify whether credential-bearing log entries were shipped to external systems and for how long.

What systems are affected by CVE-2026-42282?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, MCP-based agent frameworks, n8n workflow automation with AI integrations, SIEM-connected agentic deployments, Multi-tenant log aggregation environments.

What is the CVSS score for CVE-2026-42282?

CVE-2026-42282 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

AI agent orchestration platforms
MCP-based agent frameworks
n8n workflow automation with AI integrations
SIEM-connected agentic deployments
Multi-tenant log aggregation environments

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0085.001 AI Agent Tools

Compliance Controls Affected

EU AI Act: Article 12
ISO 42001: A.8.3
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material — most notably n8n_manage_credentials.data — the raw values can be persisted in logs. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens and OAuth credentials sent through n8n_manage_credentials, per-tenant API keys and webhook auth headers embedded in tool arguments, arbitrary secret-bearing payloads passed to any MCP tool. The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. This issue has been patched in version 2.47.13.
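The request-dispatcher pattern the advisory describes, and the fix it implies (redact before the value ever reaches the logger), as an added example in TypeScript, the language n8n-mcp is written in. This is not code from n8n-mcp or from its patch; the request shape, the set of secret-bearing keys and the token patterns are assumptions chosen for the example. The "data" key is treated as secret because the advisory names n8n_manage_credentials.data as the credential payload.

```typescript
// Added example (not n8n-mcp code): a toy JSON-RPC tools/call dispatcher that logs
// params raw (the CWE-532 pattern in the advisory) next to one that redacts
// credential-bearing fields before handing anything to the logger.

interface ToolCallParams {
  name: string;
  arguments?: Record<string, unknown>;
}

interface JsonRpcRequest {
  jsonrpc: "2.0";
  id: number | string;
  method: string;
  params?: ToolCallParams;
}

type LogSink = (line: string) => void;

// Argument keys treated as secret wherever they occur in the tree. Assumed for
// the example; "data" is included because n8n_manage_credentials.data carries
// the credential payload according to the advisory.
const SECRET_KEYS: Set<string> = new Set([
  "data", "token", "accesstoken", "refreshtoken", "apikey", "api_key",
  "password", "secret", "clientsecret", "client_secret", "authorization",
]);

// Values that look like tokens even when stored under an innocuous key (assumed patterns).
const SECRET_VALUE_PATTERNS: RegExp[] = [
  /^Bearer\s+\S+/i,
  /^gh[pousr]_[A-Za-z0-9]{20,}$/,
  /^xox[abp]-[A-Za-z0-9-]{10,}$/,
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,
];

// Returns a deep copy of `value` with secret keys and token-shaped strings masked.
function redact(value: unknown, key: string = ""): unknown {
  if (SECRET_KEYS.has(key.toLowerCase())) return "[REDACTED]";
  if (typeof value === "string") {
    return SECRET_VALUE_PATTERNS.some((re) => re.test(value)) ? "[REDACTED]" : value;
  }
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(src)) out[k] = redact(src[k], k);
    return out;
  }
  return value;
}

// Vulnerable shape: params are serialised as received, so whatever sink the
// logger writes to (stdout, file, log shipper, SIEM) receives the raw secret.
function dispatchUnsafe(req: JsonRpcRequest, log: LogSink): void {
  if (req.method !== "tools/call" || !req.params) return;
  log(`tools/call ${req.params.name} ${JSON.stringify(req.params)}`);
}

// Hardened shape: the only object that reaches the logger is the redacted copy,
// so the masking does not depend on a downstream console-silencing layer.
function dispatchSafe(req: JsonRpcRequest, log: LogSink): void {
  if (req.method !== "tools/call" || !req.params) return;
  log(`tools/call ${req.params.name} ${JSON.stringify(redact(req.params))}`);
}

// Runs a dispatcher against an in-memory sink so the emitted log text can be inspected.
function captureLog(
  dispatch: (req: JsonRpcRequest, log: LogSink) => void,
  req: JsonRpcRequest,
): string[] {
  const lines: string[] = [];
  dispatch(req, (line) => lines.push(line));
  return lines;
}

// Constructed sample request; the token values are placeholders, not real secrets.
const SAMPLE_REQUEST: JsonRpcRequest = {
  jsonrpc: "2.0",
  id: 7,
  method: "tools/call",
  params: {
    name: "n8n_manage_credentials",
    arguments: {
      action: "create",
      type: "slackOAuth2Api",
      name: "Slack (prod)",
      data: { accessToken: "xoxb-0000000000-EXAMPLEEXAMPLE" },
      headers: { Authorization: "Bearer EXAMPLEBEARERTOKEN" },
    },
  },
};

const leaked = captureLog(dispatchUnsafe, SAMPLE_REQUEST);
const masked = captureLog(dispatchSafe, SAMPLE_REQUEST);
console.log(leaked[0]); // token values appear verbatim
console.log(masked[0]); // "data" and "Authorization" replaced by "[REDACTED]"
```

The design point is where the redaction lives: in the dispatcher, on the object, before serialisation. Masking applied later (a console wrapper, a log-shipper filter) is exactly the "fragile" layer the advisory warns about, because any code path that reaches the logger without going through it leaks.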

Exploitation Scenario

An insider or attacker with read access to centralized log storage searches application logs from the n8n-MCP HTTP server. Because each authenticated MCP tool call to n8n_manage_credentials logged the full JSON-RPC payload, the attacker finds raw OAuth tokens and API keys for every n8n credential managed via the AI assistant. With no AI knowledge required, they extract the credential material using simple log search queries and authenticate directly to integrated third-party services — Slack workspaces, GitHub organizations, CRM platforms, or cloud infrastructure — pivoting laterally well beyond the n8n environment. The attack is entirely passive from the victim's perspective: the credentials were already written to logs during normal AI assistant operation.
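The log search in the scenario above and the audit in step 2 of "What should I do?" are the same operation seen from two sides. The scanner below is an added example, not part of the advisory, the n8n-mcp project or any SIEM product: it walks constructed JSON log lines of the shape an HTTP-mode server might emit, flags lines whose tools/call payload carries a credential-shaped value, and reports only a masked sample so the audit output does not become a second copy of the secret. The line format, field names and token patterns are assumptions for the example.

```typescript
// Added example (not n8n-mcp or advisory code): scan log lines from an HTTP-mode
// MCP server for credential material that was written before redaction.

interface Finding {
  line: number;          // 1-based line number in the scanned log
  tool: string | null;   // MCP tool named in the tools/call payload, if any
  kind: string;          // which credential pattern matched
  sample: string;        // masked excerpt, never the full secret
}

// Credential-shaped value patterns. Assumed for the example; extend with the
// key prefixes your own integrations use. Each has a capture group for the token.
const CREDENTIAL_PATTERNS: Array<{ kind: string; re: RegExp }> = [
  { kind: "bearer", re: /Bearer\s+([A-Za-z0-9._~+\/-]{16,}=*)/g },
  { kind: "github", re: /\b(gh[pousr]_[A-Za-z0-9]{20,})/g },
  { kind: "slack", re: /\b(xox[abp]-[A-Za-z0-9-]{10,})/g },
  { kind: "jwt", re: /\b(eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,})/g },
];

// Keep only enough of a match to recognise which credential it was.
function mask(secret: string): string {
  return secret.length <= 8 ? "****" : `${secret.slice(0, 4)}...${secret.slice(-4)}`;
}

// Pull the tool name out of a logged tools/call payload ("name":"...").
function toolName(line: string): string | null {
  const m = line.match(/"name"\s*:\s*"([A-Za-z0-9_]+)"/);
  return m ? m[1] : null;
}

// One finding per credential-shaped value, in line order.
function scanLogLines(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    for (const { kind, re } of CREDENTIAL_PATTERNS) {
      re.lastIndex = 0; // global regexes keep state between calls
      let m: RegExpExecArray | null;
      while ((m = re.exec(line)) !== null) {
        findings.push({ line: i + 1, tool: toolName(line), kind, sample: mask(m[1]) });
      }
    }
  });
  return findings;
}

// Distinct tools whose logged arguments carried a credential, for the rotation list.
function affectedTools(findings: Finding[]): string[] {
  const names = new Set<string>();
  for (const f of findings) if (f.tool !== null) names.add(f.tool);
  return Array.from(names).sort();
}

// Constructed sample log (JSON lines); the tokens are placeholders, not real secrets.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-05-01T10:00:00Z","level":"info","msg":"tools/call","params":{"name":"n8n_list_workflows","arguments":{}}}',
  '{"ts":"2026-05-01T10:00:05Z","level":"info","msg":"tools/call","params":{"name":"n8n_manage_credentials","arguments":{"action":"create","type":"slackOAuth2Api","data":{"accessToken":"xoxb-0000000000-EXAMPLEEXAMPLEEXAMPLE"}}}}',
  '{"ts":"2026-05-01T10:00:09Z","level":"info","msg":"tools/call","params":{"name":"n8n_manage_credentials","arguments":{"action":"update","data":{"headers":{"Authorization":"Bearer EXAMPLEBEARERTOKEN0123456789"}}}}}',
  '{"ts":"2026-05-01T10:01:00Z","level":"info","msg":"tools/call","params":{"name":"n8n_create_workflow","arguments":{"nodes":[{"parameters":{"headerValue":"ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE1234"}}]}}}',
  '{"ts":"2026-05-01T10:02:00Z","level":"debug","msg":"session started","sessionId":"c0ffee"}',
];

for (const f of scanLogLines(SAMPLE_LOG)) {
  console.log(`line ${f.line} tool=${f.tool} kind=${f.kind} sample=${f.sample}`);
}
console.log("rotate credentials used by:", affectedTools(scanLogLines(SAMPLE_LOG)).join(", "));
```

Two things to carry over to a real audit: run the same patterns against every sink the logs reached, not only the local file, and note that the fourth sample line shows a secret carried by a tool other than n8n_manage_credentials, which a search on the tool name alone would miss.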

Weaknesses (CWE)

CWE-532 — Insertion of Sensitive Information into Log File: The product writes sensitive information to a log file.

  • [Architecture and Design, Implementation] Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
  • [Distribution] Remove debug log files before deploying the application into production.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
May 8, 2026
Last Modified
May 14, 2026
First Seen
May 8, 2026
